Another year, another Oracle Open World has passed.
Great times –

  • Meeting friends – lots of friends from Israel this year
  • Attending some interesting presentations – especially the less official ones like Tanel’s Exadata internals
  • Seeing the drama – Salesforce, Larry – the soap opera continues
  • The icing on the cake – Sting and Tom Petty concert – was amazing
I really like this conference as it is close to home and very well attended.
A couple of pictures from the event using my crappy iPhone4 camera…
Sting

Tom Petty

I’ve recently updated FuzzOr to include the following:

  • Better functionality when working with types (objects, tables, PL/SQL records, etc.)
  • A feature to generate Hedgehog security rules automatically from the scanning results. For example, if you find a vulnerability but are unable to fix it (i.e., you don’t own the code, the code is wrapped, or you require lengthy QA cycles), you can now protect the vulnerable code by installing Hedgehog Standard and importing the generated rules.

I’ve also revised the report to be much more concise and readable.

I’ve moved the download to Sentrigo’s site so if you wish to download the new version you can go to the download page. Please note that you’ll have to register.

Oracle has released an announcement about the upcoming January CPU. This time it contains very serious WebLogic and Oracle Secure Backup vulnerabilities, along with 10 vulnerabilities on the database side. The total number of vulnerabilities is in line with previous CPUs, while the database-related count is slightly below usual: 15 in the October CPU, 11 in the July CPU and 15 in April.

It’s worth noting that none of the database server vulnerabilities are remotely exploitable, which leaves them reachable only by insiders or through SQL injection in applications.

Some of the vulnerabilities are found in optional components like Oracle Spatial. The take-away here is simple: install only what you use, don’t install features you are not going to use, and remove them if they were installed by default.

My advice here is to wait about a week or two to make sure that there are no issues with the patch, and then patch as soon as possible – but only after ensuring that your applications are not breaking.

If you can’t patch quickly, or can’t patch at all for valid reasons, try virtual patching as a stop-gap solution.

As promised, this is the second of a three-part blog entry discussing the propagation of middle-tier users to the database. This post will mainly concentrate on the Java side of things. I will show how to use the Spring Framework’s excellent transactional support together with AOP to add an additional advice, relying on a ThreadLocal to pass application user identities from the web tier all the way to the database, and using annotations on the service layer to specify the module and action.

I strongly advise downloading the linked zipped source code at the end of the post if you’re planning on seriously reviewing the code.
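To make the mechanism concrete before you open the zip, here is an added example of the same idea; it is my own illustration and not the code shipped with the post. It assumes Spring AOP with AspectJ annotations, that the transaction advisor is configured with order 1 (for example `<tx:annotation-driven order="1"/>`) so the aspect runs inside the transaction, and that the identity and module/action reach the Oracle session through `DBMS_SESSION.SET_IDENTIFIER` and `DBMS_APPLICATION_INFO.SET_MODULE`. The class names `CurrentUser`, `DbContext`, `DbContextAspect` and `OrderService` are hypothetical.

```java
// Added example, not the post's code. Assumes Spring AOP (AspectJ annotations),
// a transaction advisor ordered at 1, and Oracle's DBMS_SESSION.SET_IDENTIFIER /
// DBMS_APPLICATION_INFO.SET_MODULE as the session-context calls. All class names
// here are hypothetical.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;
import javax.sql.DataSource;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.core.annotation.Order;
import org.springframework.jdbc.datasource.DataSourceUtils;
import org.springframework.transaction.annotation.Transactional;

/** Holds the application user for the current request thread (set by a web filter). */
final class CurrentUser {
    private static final ThreadLocal<String> USER = new ThreadLocal<String>();
    private CurrentUser() {}
    static void set(String user) { USER.set(user); }
    static String get() { return USER.get(); }
    /** Call from the filter's finally block: servlet threads are pooled and reused. */
    static void clear() { USER.remove(); }
}

/** Service-layer annotation naming the module/action to report to the database. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface DbContext {
    String module();
    String action() default "";
}

/**
 * Runs with lower precedence than the transaction interceptor (order 1), so it
 * executes inside the transaction and DataSourceUtils.getConnection returns the
 * connection already bound to it; the PL/SQL calls therefore hit the same session
 * the service's SQL will use.
 */
@Aspect
@Order(2)
class DbContextAspect {
    private final DataSource dataSource;

    DbContextAspect(DataSource dataSource) { this.dataSource = dataSource; }

    @Around("@annotation(ctx)")
    public Object propagate(ProceedingJoinPoint pjp, DbContext ctx) throws Throwable {
        Connection con = DataSourceUtils.getConnection(dataSource);
        try {
            setSessionContext(con, CurrentUser.get(), ctx.module(), ctx.action());
            return pjp.proceed();
        } finally {
            // Connections are pooled: scrub the identity so the next borrower of
            // this connection is not attributed to this user in audit records.
            setSessionContext(con, null, null, null);
            DataSourceUtils.releaseConnection(con, dataSource);
        }
    }

    /** Pushes user, module and action into the Oracle session via bind variables. */
    static void setSessionContext(Connection con, String user, String module, String action)
            throws SQLException {
        CallableStatement cs = con.prepareCall(
            "BEGIN DBMS_SESSION.SET_IDENTIFIER(?); "
          + "DBMS_APPLICATION_INFO.SET_MODULE(?, ?); END;");
        try {
            cs.setString(1, user);
            cs.setString(2, module);
            cs.setString(3, action);
            cs.execute();
        } finally {
            cs.close();
        }
    }
}

/** A service method annotated once; the aspect and transaction wrap it together. */
class OrderService {
    @Transactional
    @DbContext(module = "Orders", action = "place")
    public void placeOrder(String orderId) {
        // ... JDBC / ORM work here runs in a session tagged with the web user
    }
}
```

Two details matter for the security value of this: the filter that calls `CurrentUser.set(...)` must also call `CurrentUser.clear()` in a `finally`, and the aspect resets the session context before releasing the connection, otherwise a pooled thread or connection carries the previous user's identity into the next request.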
